SecPKCS12Import returns empty array when certificate expires after Jan 1st 10000

Originator: everbloom
Number: rdar://14553560
Date Originated: 26-Jul-2013 10:32 AM
Status: Open
Resolved:
Product: iOS SDK
Product Version: 6.1
Classification: Other Bug
Reproducible: Always
 
26-Jul-2013 10:32 AM Catherine Wise:
Summary:
When the expiry date on a certificate contained in a PKCS#12 format file is on or after January 1st, 10000 (AD), SecPKCS12Import returns errSecSuccess but the passed-in CFArrayRef is returned empty. This is undocumented.

Steps to Reproduce:
Today: 26th July 2013. January 1st 10000 is 2,916,975 days from today.

Create certificate with OpenSSL (older built-in openssl okay):

openssl req -new -x509 -keyout key.pem -out cert.pem -days 2916985
openssl pkcs12 -export -out set.p12 -inkey key.pem -in cert.pem

Pass an NSURL with the location of set.p12, and the password chosen to:

+ (void) fromP12File:(NSURL *)file withPassword:(NSString *)password {
    OSStatus securityError = errSecSuccess;
    NSData *fileData = [NSData dataWithContentsOfURL:file];
    
    const void *keys[] =   { kSecImportExportPassphrase };
    const void *values[] = { (__bridge CFStringRef)password };
    CFDictionaryRef optionsDictionary = NULL;
    
    optionsDictionary = CFDictionaryCreate(NULL, keys,
                                           values, (password ? 1 : 0),
                                           NULL, NULL);  
    
    CFArrayRef items = NULL;
    securityError = SecPKCS12Import((__bridge CFDataRef)fileData,
                                    optionsDictionary,
                                    &items);                    
    
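    // OSStatus is a 32-bit type, so cast it before formatting with %ld.
    if (securityError == 0 && CFArrayGetCount(items) > 0) {
        NSLog(@"Count: %ld", (long)CFArrayGetCount(items));
    } else if (securityError == 0) {
        // Import reported success but returned no identities.
        NSLog(@"EMPTY RAGE.");
    } else {
        NSLog(@"Error: %ld", (long)securityError);
    }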
    
    if (optionsDictionary)                                     
        CFRelease(optionsDictionary);
    
    if (items)
        CFRelease(items);
}

Expected Results:
Should log "Count: 1".

Actual Results:
Logs "EMPTY RAGE".

Regression:
Occurs with iOS SDK, on device and simulator, so likely to also be a problem on Mac.

Notes:
Really, having certificates that expire after 10,000 AD isn't going to occur very often, unless you do what I did and just pick a very large number for days. Or something like MAX_INT. Just put a note in the document not to use dates on or after 10,000 AD please.
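
Added example, not part of the original report and not Apple's or OpenSSL's code: a Python pre-flight check that computes the notAfter a given `-days` value produces and rejects values landing past 31 December 9999, the last date the four-digit-year time encodings of RFC 5280 can express. The issue timestamp (midnight UTC on the report's date) and all function names are assumptions made for the example.

```python
from datetime import datetime, timedelta

# RFC 5280: validity dates through 2049 are encoded as UTCTime (YYMMDDHHMMSSZ),
# later dates as GeneralizedTime (YYYYMMDDHHMMSSZ), which has a four-digit year.
LAST_ENCODABLE = datetime(9999, 12, 31, 23, 59, 59)

# Constructed input: the report's date, assumed to be midnight UTC.
REPORT_DATE = datetime(2013, 7, 26)


def not_after(issued, days):
    """Expiry produced by an `openssl req -days N` style request (naive UTC)."""
    try:
        return issued + timedelta(days=days)
    except OverflowError:
        # Python's datetime also stops at year 9999, which is the limit we want.
        raise ValueError(f"-days {days} puts notAfter past year 9999") from None


def encode_x509_time(when):
    """ASN.1 time string RFC 5280 prescribes for a validity date (1950+)."""
    if when.year <= 2049:
        return when.strftime("%y%m%d%H%M%SZ")                  # UTCTime
    return f"{when.year:04d}" + when.strftime("%m%d%H%M%SZ")   # GeneralizedTime


def max_safe_days(issued):
    """Largest -days value that keeps notAfter within year 9999."""
    return (LAST_ENCODABLE - issued).days


def check_days(issued, days):
    """Return (ok, detail): the encoded notAfter, or why the value is unsafe."""
    try:
        expiry = not_after(issued, days)
    except ValueError as exc:
        return False, f"{exc}; largest safe value is {max_safe_days(issued)}"
    return True, encode_x509_time(expiry)


if __name__ == "__main__":
    for days in (365, 2916984, 2916985, 2**31 - 1):
        print(days, check_days(REPORT_DATE, days))
```

Running the check before `openssl req` catches both the "very large number" and the MAX_INT case mentioned in the notes, instead of discovering the problem as an empty import result on the device.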
